帮助
英语(美国) | English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

AN13222 i.MX Manufacturing Protection verification keys issue

取消
开启建议
自动建议可通过在您键入时建议可能的匹配,而快速缩小您的搜索结果范围。
显示结果 
显示  仅  | 搜索替代 
您的意思是: 

AN13222 i.MX Manufacturing Protection verification keys issue

‎08-09-2022 01:13 PM
4,941 次查看
valentinraevsky
Contributor I

Dear NXP Support,

We’ve followed the instructions of the AN13222 i.MX Manufacturing Protection but ran into a verification keys issue on our imx8mm device.

Here is our brief procedure:

U-Boot (2021.04):

IOT-GATE-iMX8 => mfgprot pubk
Public key:
<REDACTED_MF_PUBLIC_KEY>

IOT-GATE-iMX8 => mw 0xbe000000 0x11BADA55
IOT-GATE-iMX8 => md 0xbe000000 1

be000000: 11bada55

IOT-GATE-iMX8 => mfgprot sign 0xbe000000 4

Signing message with Manufacturing Protection Private Key
Message: 55 DA BA 11
Message Representative Digest(SHA-256):
7D334EA2FF597D06B49D0F936A6E308B74C578148A9FD41A21E0B0F457ED371C
Signature:
C:
9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d:
09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

Kernel (5.15.32):

./verify -m 55daba11 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

Public Key: 04<REDACTED_MF_PUBLIC_KEY>
Public key verified

Message digest:
SHA-256: f6aa60da7f6eed15
Signature:
c: 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d: 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

EC Signature: Invalid

 

We’d appreciate it if you could help in fixing the issue.

 

Thanks in advances,

Valentin Raevsky.

标签 (1)
0 项奖励
回复
15 回复数

‎08-29-2022 12:14 AM
4,877 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @valentinraevsky 

Can you please share the u-boot configuration file?

Thanks & Regards

Sanket Parekh

0 项奖励
回复

‎09-09-2022 12:37 PM
4,824 次查看
valentinraevsky
Contributor I

Hi,

The U-boot config is attached.

 

Regards,

Valentin.

预览文件
43 KB
0 项奖励
回复

‎09-11-2022 09:19 PM
4,808 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @valentinraevsky 

For Manufacturing protection verification below configuration should be enable in u-boot.

CONFIG_SECURE_BOOT=y

Please add the same and check the Manufacturing protection verification.

Thanks & Regards

Sanket Parekh

0 项奖励
回复

‎09-15-2022 08:31 AM
4,789 次查看
bobjenkins
Contributor I

Also, please note that our i.MX8MM units are not affected by this issue: https://community.nxp.com/t5/Known-Limitations-and-Guidelines/i-MX8M-8MM-CAAM-Manufacturing-Protecti....

0 项奖励
回复

‎09-15-2022 06:48 AM
4,792 次查看
bobjenkins
Contributor I

Hello Sanket,

We tried to add "CONFIG_SECURE_BOOT=y" to either the defconfig or .config directly. However, when building the uboot, the change gets automatically reverted.

The closest config option I was able to find was "CONFIG_EFI_SECURE_BOOT". However, when we set that to "CONFIG_EFI_SECURE_BOOT=y", and flashed the HAB signed uboot to the board, the verification of manufacturing protection signed messages returns the same "EC Signature: Invalid" error.

Any thoughts on what to try next?

Cheers and Thanks!

Bob

0 项奖励
回复

‎09-15-2022 10:35 PM
4,783 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @bobjenkins 

I hope you are doing well.

As per the attached snapshot few configurations are enable for manufacturing protection verification.

You are using IMX8MM board, So you will have to add all this configuration in imx8mm_evk_defconfig file.

Thanks & Regards

预览文件
31 KB
0 项奖励
回复

‎09-21-2022 07:48 AM
4,761 次查看
bobjenkins
Contributor I

Hey @Sanket_Parekh,

I added those config options to the "imx8mm_evk_defconfig" file, recompiled uboot, re-signed with HAB and flashed it to the board. I'm still getting "EC Signature: Invalid" verifying a message signed with e.g., "mfgprot sign 0xbe000000 4".

Cheers and Thanks!
Bob

0 项奖励
回复

‎10-19-2022 08:22 AM
4,568 次查看
vraevsky
Contributor II
Hello Bob,

Can you please share the "bdinfo" from the board that the command "mfgprot sign 0xbe000000 4" were issued.

Thanks in advances,
Valentin.
0 项奖励
回复

‎09-23-2022 06:01 AM
4,727 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @bobjenkins ,

I hope you are doing well.
 
have you referred to section 3.2 Private key persistence in AN13222?
please configure the CSF as shown in section 3.2.
 
Thanks & Regards
Sanket Parekh
0 项奖励
回复

‎10-19-2022 09:02 AM
4,563 次查看
vraevsky
Contributor II

Dear NXP Support,

Please help us in understanding what we did wrong with issuing the "AN13222.pdf"

We have performed two test:
1) TEE_LOAD_ADDR = "0xbe000000"
attached log: compulab-imx8mm-TEE_LOAD_ADDR-0xbe000000.log
2) TEE_LOAD_ADDR = "0x56000000"
attached log:compulab-imx8mm-TEE_LOAD_ADDR-0x56000000.lgo

We’d appreciate it if you could help in solving the issue.

Regards,
Valentin.

compulab-imx8mm-TEE_LOAD_ADDR-0x56000000.log
compulab-imx8mm-TEE_LOAD_ADDR-0xbe000000.log
0 项奖励
回复

‎10-27-2022 02:31 AM
4,398 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @valentinraevsky,

Reason for EC Signature: Invalid is  "The Manufacturing Protection private key is cleared during the boot unless the signature (CSF) contains the Unlock command, informing the HAB/AHAB to leave the key."
 
Could you please try adding the 'Unlock' command in the CSF description file, as shown below:
      [Unlock] 
      Engine = CAAM 
      Features = MFG
 
You can refer to section "3.2 Private key persistence" in the application note "AN13222 i.MX Manufacturing Protection."
 
Also, kindly refer to "uboot-imx/doc/imx/habv4/guides/mx8m_secure_boot.txt" for more information.

 

Thanks & Regards

Sanket Parekh

0 项奖励
回复

‎10-28-2022 01:29 PM
4,378 次查看
vraevsky
Contributor II

Hi @Sanket_Parekh,

Thanks for your reply. The csf_spl/csf_fit have this block. Unfortunately, it does not work.

Files used for signing:

https://github.com/compulab-yokneam/cst-tools/blob/master/imx8/hab/csf_spl.in

https://github.com/compulab-yokneam/cst-tools/blob/master/imx8/hab/csf_fit.in

 

Regards,

Valentin.

0 项奖励
回复

‎10-31-2022 04:43 AM
4,354 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @vraevsky 

Please perform the steps given in section  4.1 MP enablement verification in AN13222 i.MX Manufacturing Protection and send the corresponding output.
 
Thanks & Regards
Sanket Parekh
0 项奖励
回复

‎08-26-2022 05:22 AM
4,892 次查看
Sanket_Parekh
NXP TechSupport
NXP TechSupport

Hi @valentinraevsky 

Can you please try the below mentioned command?

./verify -m 11BADA55 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

Thanks & Regards

Sanket Parekh

0 项奖励
回复

‎08-26-2022 08:14 AM
4,888 次查看
valentinraevsky
Contributor I

It doesn't work. Replies with the same result:

./verify -m 11BADA55 -k 04<REDACTED_MF_PUBLIC_KEY> -c 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8 -d 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

Public Key: 04<REDACTED_MF_PUBLIC_KEY>
Public key verified

Message digest:
SHA-256: 31e972db714a19b6
Signature:
c: 9323E4CA5734390874065087435BAF6D3E462844ACA57BFB5DD5E1AA47E7A5E8
d: 09A6460EE68FD82C8BC1E011FC705EB3FB618583C436D91395A295FF1370DA6A

EC Signature: Invalid

0 项奖励
回复